7T Interactive Graphical SCADA System Multiple Security Vulnerabilities

2011.04.07
Risk: High
Local: No
Remote: Yes
CWE: CWE-119


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

#######################################################################

                             Luigi Auriemma

Application:  IGSS (Interactive Graphical SCADA System)
              http://www.igss.com
              http://www.7t.dk
Versions:     IGSSdataServer.exe <= 9.00.00.11063
Platforms:    Windows
Bug:          multiple stack overflows
Exploitation: remote, versus server
Date:         21 Mar 2011 (found 10 Jan 2011)
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


IGSS (Interactive Graphical SCADA System) is a SCADA solution developed
by 7-Technologies and used mainly in Denmark and the US.

Information from the vendor's website:
"IGSS is the complete automation software - a SCADA system for process
control and supervision - with a long row of releases since the start
of 7T 25 years ago. At that time, 7T was the first company in the world
to develop an object oriented and mouse operated SCADA system under the
name of IGSS."


#######################################################################

======
2) Bug
======


IGSSdataServer.exe is a server that listens on port 12401 and is active
when the project is started.

The opcode 0xd is used for the file operations, which cover creation,
reading, writing, deleting, renaming and so on.

All the commands supported by this opcode except "FileReserve" (0x7)
are affected by different buffer overflow vulnerabilities, each caused
by copying the filename provided by the client into a stack buffer of
256 bytes.

The following is the list of the copying functions for each command (I
don't remember the exact version from which I got them):

  "ListAll"    (0x1)  00406e91
  "Write File" (0x2)  004071dd
  "ReadFile"   (0x3)  004072fd
  "Delete"     (0x4)  00406fad
  "RenameFile" (0x5)  00407094 and 004070cf
  "FileInfo"   (0x6)  0040746f


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/igss_2.zip

  nc SERVER 12401 < igss_2a.dat
  nc SERVER 12401 < igss_2b.dat
  nc SERVER 12401 < igss_2c.dat
  nc SERVER 12401 < igss_2d.dat
  nc SERVER 12401 < igss_2e.dat
  nc SERVER 12401 < igss_2f.dat


#######################################################################

======
4) Fix
======


No fix.

UPDATE 24 Mar 2011:
version 11083


#######################################################################
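Added example (not part of the original advisory and not vendor code): the unchecked copy of a client filename into a 256-byte stack buffer, as section 2 describes it, next to a bounded version that rejects the request instead. The struct file_req layout and all function names are hypothetical, since the advisory does not give the IGSS packet format.

```c
#include <stddef.h>
#include <string.h>

#define FILENAME_BUF 256  /* stack buffer size stated in the advisory */

/* Hypothetical view of the filename field as received from the client.
   The real packet layout is not described on the page. */
struct file_req {
    const unsigned char *name;   /* start of the filename field */
    size_t               avail;  /* bytes actually received for it */
};

/* Pattern the advisory describes: no length check before the copy.
   Shown for contrast only; never call it on untrusted input. */
int handle_unchecked(const struct file_req *r)
{
    char path[FILENAME_BUF];
    strcpy(path, (const char *)r->name);  /* overruns path[] at >= 256 bytes */
    return (int)strlen(path);
}

/* Bounded form: the terminator must lie inside the received bytes and
   the name, terminator included, must fit the destination buffer. */
int copy_filename(char *dst, size_t dstsz, const struct file_req *r)
{
    const unsigned char *nul;
    size_t len;

    if (dst == NULL || dstsz == 0 || r == NULL || r->name == NULL)
        return -1;
    nul = memchr(r->name, '\0', r->avail);
    if (nul == NULL)
        return -1;               /* unterminated: would read past the packet */
    len = (size_t)(nul - r->name);
    if (len == 0 || len >= dstsz)
        return -1;               /* empty name, or too long for dst */
    memcpy(dst, r->name, len + 1);
    return (int)len;
}

/* Handler using the bounded copy: fails closed before any file operation. */
int handle_checked(const struct file_req *r)
{
    char path[FILENAME_BUF];
    if (copy_filename(path, sizeof path, r) < 0)
        return -1;
    return (int)strlen(path);
}
```

The same check has to be applied at every copy site, which matters here because the advisory lists a separate copying function for each command.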

References:

http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-080-03.pdf
http://www.vupen.com/english/advisories/2011/0741
http://www.securityfocus.com/bid/46936
http://www.exploit-db.com/exploits/17024
http://secunia.com/advisories/43849
http://aluigi.org/adv/igss_7-adv.txt
http://aluigi.org/adv/igss_5-adv.txt
http://aluigi.org/adv/igss_4-adv.txt
http://aluigi.org/adv/igss_3-adv.txt
http://aluigi.org/adv/igss_2-adv.txt

